The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Smart vault total weth balance can be converted to eth without user requesting so

Summary

The smart vault's total WETH balance can be converted to ETH without the user requesting it.

Vulnerability Details

When a vault owner initiates a swap, there is a possibility that the vault's total WETH balance gets converted to ETH.
Consider this scenario:

  • Alice sends a bunch of tokens, including ETH and WETH, to her vault to be used as collateral.

  • Then she swaps some ERC20 for another ERC20 using the swap function.

  • This function gets called, and at the end of execution it converts what is supposedly any returned WETH into ETH.

  • The problem is that the swap may return no WETH, while the contract at the same time holds WETH that is meant for another purpose.

  • The vault's total WETH balance then gets forcefully converted into ETH.

Impact

User WETH collateral can be converted into ETH, even in the case where WETH has not been accepted as collateral by the token manager. This is a case that does something the user does not expect.

Tools Used

Manual review, VsCode

Recommendations

Instead of converting the vault's total WETH balance after the swap, get the balance before the swap and the balance after the swap, and only convert the difference.
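The recommendation above, written out as an added example; this is not code from the audited repository. The contract name `VaultSwapExample`, the `IRouter.swap` signature and the `IERC20Approve` interface are hypothetical and stand in for the vault's real swap path and router.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal interfaces assumed for this example (not taken from the audited code base).
interface IWETH {
    function balanceOf(address account) external view returns (uint256);
    function withdraw(uint256 amount) external;
}

interface IERC20Approve {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IRouter {
    // Hypothetical router: pulls `amountIn` of `tokenIn` from the caller
    // and sends the resulting `tokenOut` back to the caller.
    function swap(address tokenIn, address tokenOut, uint256 amountIn) external returns (uint256);
}

contract VaultSwapExample {
    IWETH public immutable weth;
    IRouter public immutable router;
    address public immutable owner;

    constructor(IWETH _weth, IRouter _router) {
        weth = _weth;
        router = _router;
        owner = msg.sender;
    }

    // Required so that WETH.withdraw() can send ETH back to the vault.
    receive() external payable {}

    function swap(address tokenIn, address tokenOut, uint256 amountIn) external {
        require(msg.sender == owner, "not owner");
        // Snapshot the WETH the vault already holds: it is existing collateral, not swap output.
        uint256 wethBefore = weth.balanceOf(address(this));

        require(IERC20Approve(tokenIn).approve(address(router), amountIn), "approve failed");
        router.swap(tokenIn, tokenOut, amountIn);

        // Unwrap only what the swap added. If tokenIn was WETH the balance fell,
        // the condition is false and no collateral is unwrapped.
        uint256 wethAfter = weth.balanceOf(address(this));
        if (wethAfter > wethBefore) {
            weth.withdraw(wethAfter - wethBefore);
        }
    }
}
```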

Updates

Lead Judging Commences

hrishibhat Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid
